Current posture
Legacy Labs maintains a SOC 2 Type II report against the Security and Availability Trust Service Criteria, refreshed annually by a third-party auditor.
Continuous controls monitoring runs year-round. Any control exception is tracked to closure inside our risk register and surfaced in the next report cycle.
Scope
The report covers the Legacy Labs control plane, agent runtime, LLM gateway, audit log stream, and customer portal. Customer-operated components deployed inside your cloud tenant are covered by your own SOC 2 boundary and our shared-responsibility exhibit.
How to request the report
Email security@getlegacylabs.com from a verifiable domain. We return a password-protected PDF under mutual NDA. Requests are typically fulfilled within one business day.
Sample controls
- Quarterly access reviews with signed evidence.
- MFA required for every operator, enforced at the IdP.
- Role-based access at the action level, not just the resource.
- Vulnerability management with SLA-bound remediation.
- Backup and restore tested quarterly, with results logged to the risk register.
- Security awareness training annually, with phishing drills.